Google OAuth 2.0 - Incremental authorization with offline access
I'm trying to implement incremental authorization with Google Oauth2 in my application.
At first, when users sign in, the application is requesting some scopes and offline access. I'm generating and storing the refreshToken in my database so I can refresh access tokens to make API calls when needed.
Now I'm going to implement a new functionality that will request a new scope, but I would like to ask for this scope only if users try to use this new functionality.
The problem I'm facing is that, when the application promts users to consent for new scope, Google is requesting access for all the previously accepted scopes.
I have tried without offline access (using 'grant' method) and it seems to be working (as the description says 'Request additional scopes to the user.'). Doing that, Google is only requesting new scope and the access token generated seems to work fine. But if I try with offline access (using 'grantOfflineAccess' method), Google asks for all the scopes. If I accept all the scopes again, it returns an authorization code and I can generate the refreshToken again, but I would like to do that only accepting the new scope.
I was wondering maybe it's not possible to do it when requesting offline access, as you need to generate a new refreshToken with all the scopes, but I couldn't find any information about this.
Am I doing anything wrong or is it not possible to achieve this with offline access?
UPDATE: Also generating the URL (instead of using the JS library) as explained here, Google asks for all the scopes. This would be an example of the generated URL:
https://accounts.google.com/o/oauth2/v2/auth?
scope=my_new_scope&
redirect_uri=https://myapp.example.com/callback&
response_type=code&
client_id=my_client_id&
prompt=consent&
include_granted_scopes=true
UPDATE2: I've found a reported issue here, where someone commented that it's not possible to do it for installed applications. But there is a comment explaining how to do it with web server flow, these are the steps using OAuth2 playground (https://developers.google.com/oauthplayground):
1) Select the Google Calendar scope.
2) Authorize access
3) Exchange code for token.
4) Make request to the token info endpoint: https://www.googleapis.com/oauth2/v2/tokeninfo?access_token=...
5) Verify that the token only contains the Google Calendar scope.
6) De-select the Google Calendar scope and select the Google Drive scope.
7) Edit the URL in the authorization window and append &include_granted_scopes=true.
8) Authorize the Drive scope.
9) Exchange the code for a token.
10) Make request to the token info endpoint.
11) Verify that it contains both the Calendar and Drive scopes.
Doing the same I get Calendar scope in the first verification and Drive scope in the second one. Even using the refresh token I cannot get an access token with both scopes. After that, and this is pretty strange, I've checked the applications with access to my account and OAuth2 playground has both scopes:
Thank you in advance!
I've finally accomplished to implement incremental authorization using JS library. Using grantOfflineAccess function you can send the new scopes you want to request. By default include_granted_scopes is true when you use gapi.auth2.authorize.
So you just need to send the new scopes, for example:
GoogleUser.grantOfflineAccess({scope: 'https://www.googleapis.com/auth/drive https://www.googleapis.com/auth/calendar'}
Then you will receive an authorization code to exchange for a refreshToken. You can check everything works by generating an access_token with the new refreshToken and calling the token info endpoint: https://www.googleapis.com/oauth2/v2/tokeninfo?access_token=...
I'm sure this was something I've tried at first, so I guess I was doing something wrong.
Anyways, I have decided to not use incremental authorization due to an issue with the library. Basically the problem is that, for a better user experience and to avoid problems, you should be able to use prompt: 'consent' so the user doesn't need to select an account to accept new scopes. But this is not possible and you could have problems if users select different accounts to accept different scopes from your application.
- Dismiss/Cancel button with auto login flow using Credential Manager on Android
- New google sign in disappears after refreshing page
- Keep getting the error Google Sign-In Error: PlatformException(sign_in_failed, com.google.android.gms.common.api.ApiException: 10: , null, null)
- com.android.build.transform.api.TransformException
- google_sign_in plugin: PlatformException(sign_in_failed, com.google.android.gms.common.api.ApiException: 10: , null)
- "Provided value to SecureStore is larger than 2048 bytes" while trying to store Google OAuth token
- Flutter MacOS : Additional implementation for sign in with google
- 'Your app is missing support for the following URL schemes: com .googleusercontent.apps.xxx'
- Flutter app crashes on Android after it calls "await GoogleSignIn().signIn();"
- I got this error when i try to SignIN[GSI_LOGGER-TOKEN_CLIENT]: The OAuth token was not passed to gapi.client - Flutter,GoogleSignIn
- How to remove access when using Credential Manager?
- Can I customize UI when using credential manager Authenticate users with Sign in with Google
- Logged in but cant get the user data
- [Credential Manager]Automatic login won't select the last account used when multiple Google accounts are present
- Android Credential Manager: what's the differences between GetSignInWithGoogleOption and GetGoogleIdOption
- What does revoking/unlinking an auth provider in Firebase Authentication do?
- Get serverAuthCode using Credential Manager
- When implementing Google Sign-In on Android, iOS, is it possible to indicate in the google account sign-in popup that only email address will be used?
- Do we need android folder in expo while building production build?
- How should I use the id token returned to me by Google after a successful code exchange?
- Issue with Session Data Persistence in Google OAuth Login Integration
- How to verify google auth token at server side in node js?
- correct way to implement google login
- expo-auth-session/providers/google not working on standalone app: invalid_scheme
- Unhandled Exception: PlatformException(sign_in_failed, com.google.android.gms.common.api.ApiException: 10: , null, null)
- JWT token not yet valid
- When authorizing with the Android Authorization API, how can I prevent the permission confirmation popup from appearing every time?
- Temporary block when using Credential Manager to Sign in with Google
- [GSI_LOGGER]: FedCM get() rejects with IdentityCredentialError: Error retrieving a token
- OAuth 2.0 Single Client Configuration for Web and Mobile Applications